Netgear VPN Firewall FVS336Gv2 Reference Manual
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Contents (continued)

Login and Logout .... 643
System Startup .... 644
Reboot .... 644
Firewall Restart .... 644
IPSec Restart .... 645
Unicast, Multicast, and Broadcast Logs .... 645
WAN Status .... 646
Resolved DNS Names .... 650
VPN Log Messages .... 650
Traffic Meter Logs .... 656
Routing Logs .... 656
LAN to WAN Logs .... 657
LAN to DMZ Logs .... 657
DMZ to WAN Logs .... 657
WAN to LAN Logs .... 657
DMZ to LAN Logs .... 658
WAN to DMZ Logs .... 658
Other Event Logs .... 658
Session Limit Logs .... 658
Source MAC Filter Logs .... 659
Bandwidth Limit Logs .... 659
DHCP Logs .... 660

Appendix C Two-Factor Authentication
Why Do I Need Two-Factor Authentication? .... 662
What Are the Benefits of Two-Factor Authentication? .... 662
What Is Two-Factor Authentication? .... 662
NETGEAR Two-Factor Authentication Solutions .... 663

Appendix D Default Settings and Technical Specifications
Factory Default Settings .... 667
Physical and Technical Specifications .... 672

Index
1. Get an Overview of the Features and Hardware and Log In

This chapter provides an overview of the features and capabilities of the NETGEAR ProSAFE® Dual WAN Gigabit SSL VPN Firewall for model FVS336Gv2 and explains how to log in to the device and use its web management interface. The chapter contains the following sections:

• What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?
• Key Features and Capabilities
• Package Contents
• Hardware Features
• Choose a Location for the VPN Firewall
• Rack-Mount the VPN Firewall with the Mounting Kit
• Login Requirements
• Log In to the VPN Firewall as an Administrator
• Change the Password for the Default Administrator Account

Note: For more information about the topics covered in this manual, visit the support website at support.netgear.com.

Note: Firmware updates with new features and bug fixes are made available from time to time at downloadcenter.netgear.com. Some products can regularly check the site and download new firmware, or you can check for and download new firmware manually. If the features or behavior of your product does not match what is described in this guide, you might need to update your firmware.
What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?

The ProSAFE Dual WAN Gigabit SSL VPN Firewall, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable or DSL modems or satellite or wireless Internet dishes. Two wide area network (WAN) ports allow you to increase the effective data rate to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup connections in case of failure of your primary Internet connection.

The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic, and traffic with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels.

The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple web content filtering options, plus browsing activity reporting and instant alerts, both through email. Network administrators can establish restricted access policies based on time of day, website addresses, and address keywords.

The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures high data transfer speeds. The VPN firewall is a plug-and-play device that you can install and configure in a short time.
Key Features and Capabilities

This section includes the following topics:

• Two WAN Ports for Increased Reliability and Load Balancing
• Advanced VPN Support for Both IPSec and SSL
• A Powerful, True Firewall with Content Filtering
• Security Features
• Autosensing Ethernet Connections with Auto Uplink
• Extensive Protocol Support
• Easy Installation and Management
• Maintenance and Support

The VPN firewall provides the following key features and capabilities:

• Two 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover protection of your Internet connection, providing increased data rate and increased system reliability
• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer between local network resources and support for up to 200,000 internal or external connections
• Both IPv4 and IPv6 support
• Advanced IPSec VPN and SSL VPN support with support for up to 25 concurrent IPSec VPN tunnels and up to 10 concurrent SSL VPN tunnels
• Bundled with a single-user license of the NETGEAR ProSAFE VPN Client software (VPN01L)
• L2TP tunnel and PPTP tunnel support
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support
• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia
• Extensive protocol support
• One console port for local management
• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSAFE Network Management Software (NMS200) over a LAN connection
• Front panel LEDs for easy monitoring of status and activity
• Flash memory for firmware upgrade
• Internal universal switching power supply
• Rack-mounting kit for 1U rackmounting

Two WAN Ports for Increased Reliability and Load Balancing

The VPN firewall provides two broadband WAN ports. These WAN ports allow you to connect additional broadband Internet lines that can be configured to do the following:

• Load-balance outbound traffic for maximum bandwidth efficiency.
• Provide backup and rollover if one line is inoperable, ensuring that you are never disconnected.

You can implement the following capabilities with multiple WAN port gateways:

• Single or multiple exposed hosts
• Virtual private networks (VPNs)

For information about planning a network with such capabilities, see Appendix A, Network Planning for Multiple WAN Ports.
Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:

• IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
  - IPSec VPN with broad protocol support for a secure connection to other IPSec gateways and clients.
  - Up to 25 simultaneous IPSec VPN connections.
  - Bundled with a 30-day trial license for the ProSAFE VPN Client software (VPN01L).
• SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers.
  - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
  - Up to 10 simultaneous SSL VPN connections.
  - Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
  - Provides granular access to corporate resources based on user type or group membership.

A Powerful, True Firewall with Content Filtering

Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN flood.
• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
• Content filtering. Prevents objectionable content from reaching your computers. You can control access to Internet content by screening for web services, web addresses, and keywords within web addresses.
• Schedule policies. Permits scheduling of firewall policies by day and time.
• Logs security incidents. Logs security events such as logins and secure logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your email address or email pager when a significant event occurs.
Security Features

The VPN firewall is equipped with several features designed to maintain security:

• Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
• Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the computers on the LAN, the VPN firewall allows you to direct incoming traffic to specific computers based on the service port number of the incoming request.
• DMZ port. Incoming traffic from the Internet is usually discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for which you configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four-port 10/100/1000 Mbps switch and two 10/100/1000 WAN ports, the VPN firewall can connect to a 10-Mbps standard Ethernet network, a 100-Mbps Fast Ethernet network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. That port then configures itself correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.
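The three inbound cases listed under Security Features (a reply to a LAN-originated request, an inbound rule matched on the service port, and the DMZ port catching whatever would otherwise be discarded) can be modelled as one decision procedure. The following Python model is an added illustration, not NETGEAR firmware or code from this manual; the NatFirewall class, its port-allocation scheme, and the 192.168.1.0/24, 198.51.100.2, and 203.0.113.x addresses are constructed for the walkthrough.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    sport: int    # source port
    dst: str      # destination IP address
    dport: int    # destination port
    proto: str = "tcp"


@dataclass
class NatFirewall:
    """Hypothetical model of the manual's inbound handling: session replies pass,
    inbound rules forward by service port, the DMZ host receives the rest,
    and everything else is discarded. Not NETGEAR code."""
    wan_ip: str
    inbound_rules: dict[int, str] = field(default_factory=dict)  # WAN service port -> LAN host
    dmz_host: Optional[str] = None                                # the one computer behind the DMZ port
    sessions: dict = field(default_factory=dict)  # (proto, remote, rport, wan_port) -> (LAN host, port)
    next_port: int = 40000                        # next WAN port handed out by NAT (constructed scheme)
    log: list[str] = field(default_factory=list)  # discarded packets, as a firewall log would record them

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN request opens a temporary path: remember it and translate the source."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> tuple[str, Optional[Packet]]:
        """Decide what happens to a packet arriving on the WAN side."""
        # 1. Response to a request that originated on the LAN: untranslate and deliver.
        lan = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if lan is not None:
            return "session", Packet(pkt.src, pkt.sport, lan[0], lan[1], pkt.proto)
        # 2. Port forwarding: an inbound rule for this service port names the LAN host.
        host = self.inbound_rules.get(pkt.dport)
        if host is not None:
            return "rule", Packet(pkt.src, pkt.sport, host, pkt.dport, pkt.proto)
        # 3. DMZ port: instead of discarding, hand all remaining unsolicited traffic to one host.
        if self.dmz_host is not None:
            return "dmz", Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport, pkt.proto)
        # 4. Default: discard, which is what keeps NAT-hidden computers unreachable from outside.
        self.log.append(f"drop {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "drop", None


def walkthrough() -> list[str]:
    """Constructed traffic on documentation address ranges; returns the four verdicts."""
    fw = NatFirewall(wan_ip="198.51.100.2", inbound_rules={80: "192.168.1.20"})
    out = fw.outbound(Packet("192.168.1.10", 51000, "203.0.113.5", 443))
    verdicts = [fw.inbound(Packet("203.0.113.5", 443, out.src, out.sport))[0]]  # reply: session
    verdicts.append(fw.inbound(Packet("203.0.113.9", 5555, fw.wan_ip, 80))[0])  # web: rule
    verdicts.append(fw.inbound(Packet("203.0.113.9", 5555, fw.wan_ip, 22))[0])  # ssh: drop
    fw.dmz_host = "192.168.1.50"  # enabling the DMZ port exposes that host to all remaining traffic
    verdicts.append(fw.inbound(Packet("203.0.113.9", 5555, fw.wan_ip, 22))[0])  # ssh: dmz
    return verdicts
```

The last two verdicts show the practical consequence of the DMZ port: a request that the firewall would have discarded is delivered to the DMZ host instead, so that host must be hardened as if it sat directly on the Internet.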
Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:

• IP address sharing by NAT. The VPN firewall allows many networked computers to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.
• Automatic configuration of attached computers by DHCP. The VPN firewall dynamically assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached computers on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
• Quality of Service (QoS). The VPN firewall supports QoS, including traffic prioritization and traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking.
• Layer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual private networks (VPNs).
• Point-to-Point Tunneling Protocol (PPTP). Another tunneling protocol that is used to support VPNs.

Easy Installation and Management

You can install, configure, and operate the VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:

• Browser-based management. Browser-based configuration allows you to easily configure the VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based web management interface.
• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so that you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such as ping, traceroute, DNS lookup, and remote reboot.
• Remote management. The VPN firewall allows you to log in to the web management interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memory for firmware upgrades.
• Technical support seven days a week, 24 hours a day. Information about technical support is available at support.netgear.com.
Package Contents

The VPN firewall product package contains the following items:

• Dual WAN Gigabit SSL VPN Firewall
• One AC power cable
• One Category 5 (Cat 5) Ethernet cable
• One rack-mounting kit
• ProSAFE Dual WAN Gigabit SSL VPN Firewall FVS336Gv2 Installation Guide
• Resource CD, including the following:
  - Application notes and other helpful information
  - ProSAFE VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.

Hardware Features

The front panel ports and LEDs, back panel ports, and bottom label of the VPN firewall are described in the following sections:

• Front Panel
• Back Panel
• Bottom Panel with Product Label

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports:

• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors
• WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

The front panel also contains three groups of status LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are described in the following table.
Figure 1. Front panel (callouts: Power LED, Test LED, left LAN LEDs, right LAN LEDs, DMZ LED, left WAN LEDs, right WAN LEDs, Internet LEDs)

Table 1. LED descriptions

LED: Power
  Green: Power is supplied to the VPN firewall.
  Off: Power is not supplied to the VPN firewall.

LED: Test
  Amber during startup: Test mode. The VPN firewall is initializing. After approximately two minutes, when the VPN firewall has completed its initialization, the Test LED turns off.
  Amber during any other time: The initialization failed or a hardware failure occurred.
  Blinking amber: The VPN firewall is writing to flash memory during a firmware upgrade or when you reset the VPN firewall to defaults.
  Off: The VPN firewall has booted successfully.

LED: LAN ports, left LED
  Green: The LAN port detects a link with a connected Ethernet device.
  Blinking green: The LAN port receives or transmits data.
  Off: The LAN port has no link.

LED: LAN ports, right LED
  Green: The LAN port operates at 1000 Mbps.
  Amber: The LAN port operates at 100 Mbps.
  Off: The LAN port operates at 10 Mbps.

LED: DMZ LED
  Green: LAN port 4 operates as a dedicated hardware DMZ port.
  Off: LAN port 4 operates as a normal LAN port.

LED: WAN ports, left LED
  Green: The WAN port has a valid connection with a device that provides an Internet connection.
  Blinking green: The WAN port receives or transmits data.
  Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the VPN firewall.

LED: WAN ports, right LED
  Green: The WAN port operates at 1000 Mbps.
  Amber: The WAN port operates at 100 Mbps.
  Off: The WAN port operates at 10 Mbps.

LED: Internet LED
  Green: The WAN port has a valid Internet connection.
  Amber: The Internet link is down because the WAN port is in standby mode for failover. Also, before the connection is up, there is an amber color for a short period of time.
  Off: The WAN port is either not enabled or has no link to the Internet.

Back Panel

The back panel of the VPN firewall includes a console port, a cable security lock receptacle, a recessed Factory Defaults reset button, and an AC power connection.

Figure 2. Back panel (callouts: Console port, Cable security lock receptacle, Factory Defaults reset button, AC power receptacle)

Viewed from left to right, the back panel contains the following components:

• Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 115200 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd. For information about accessing the command-line interface (CLI) using the console port, see Use the Command-Line Interface on page 537.
• Cable security lock receptacle.